1. Field of Invention
Embodiments of the invention relate in general to the field of data communication. More specifically, the embodiments relate to methods and systems for generating a control key that is to be appended with a data packet being transmitted through different software/hardware modules of an integrated network security device.
2. Description of the Background Art
In the world of data packet switched network appliances, different security technologies (VPN, Firewall, IDS) are merging on a single platform. This results in data packets undergoing many operations while being transmitted through the integrated network security device. Network appliances save dynamic information in the form of per-connection objects. Connections are first filtered through a classification engine, which determines what applications (also called plug-in modules, functionalities or operations) are to be applied to [1] data packets belonging to that connection. The decision, regarding the applications to be applied, is then stored in the connection object as a control key.
The control key is retrieved from the connection object and parsed, in order to apply the required operations to the data packets of a connection. A dispatcher unit processes the control key and sends the data packets to the required applications, in the order specified by the control key. The control key stores the processing state of the given packet, i.e. it stores which operations have already been performed and which operations need to be performed.
Since the total storage required for the connection objects is proportional to the key size, minimizing the size of the control key would reduce the total amount of memory required to store the connections database. Since millions of connection objects are stored in the device memory, minimizing the size of the control key would increase the number of connection objects that can be stored in a given memory.
Various techniques are adopted in the art, to minimize the size of the control key. One technique is to provide flexibility to the order of the applications sequence, which results in an increase in the size of the control key. However, the control key has to be engineered in such a way that while its size is minimized, its functioning is not affected.
A conventional technique, available in the art, to maximize the flexibility of the control key is the horizontal microcode. The horizontal microcode is formed of bit groups that are directly translated to the operations being referred to by these bit groups. This technique allows all the possible combinations of operations and their ordering, at the expense of larger instruction sets. However, usage of this technique has usually been restricted to the lowest level of software technology and has not been used in high-speed embedded systems, such as integrated security devices for data packet processing. [1]
Another conventional technique, available in the art, to minimize the size of the control key is vertical microcodes. The vertical microcode consists in encoding the software modules being applied to a given data packet, in an invariable order, using bits. This technique allows all possible operations to be encoded, but only in a unique invariable and specific (hard coded) ordering schema.
A third conventional technique consists in encoding each combination of operations with a unique identifier. For example, if {a,b} corresponds to all possible operations, all possible combinations are coded as {a}=1, {b}=2, {a,b}=3, {b,a}=4, {a,a}=5, {b,b}=6. This technique provides the maximum level of ordering flexibility using a minimum control key size, at the expense of a more complex control key decoding mechanism requiring a higher CPU usage. However, this technique would require a complex state machine to store the current state of the processing. i.e. transforming the key such that only the remaining operations to a given packet are stored in the new control key. This functionality is, although theoretically possible, complex and non-scalable.